People should avoid Wayland environments which use wlroots as the compositor, such as Sway, since wlroots adds many of X11's weaknesses back, including the ability for apps to record each other without prompting for permission.
I was hoping to actually research this or come across someone else who has. Unfortunately nobody has really shown any examples of it, a blog article or anything really concrete examining how it compares to, say, GNOME or KDE.
Which is, of course, something I’d love to read.
If I understand correctly, here’s Sway’s permission model. It relies on a Wayland protocol that lets sandboxing tools like Flatpak identify their apps. Sway only gates the screen recording and keyboard input APIs from those processes.
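To make the gating described in the post above concrete, here is a small Python model added here; it is not Sway's or wlroots' code. It assumes that a client whose connection was created through the `wp_security_context_v1` protocol (the mechanism sandboxes such as Flatpak use to tag their apps) is treated as sandboxed, and that the privileged globals withheld from such clients are the screen-capture and synthetic-input ones listed in the code; which globals Sway really restricts, and the client names, are assumptions for the example.

```python
"""Simplified model of security-context based gating in a Wayland compositor.

Added illustration, not compositor code. A client that connects through a
security context (sandbox_engine set) is shown only the public globals;
any other client, e.g. a plain native process, sees the privileged ones too
and is never prompted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed set of privileged globals hidden from sandboxed clients.
# Interface names are real wlroots / wayland-protocols interfaces;
# treating exactly these as "privileged" is an assumption of the model.
PRIVILEGED_GLOBALS = frozenset({
    "zwlr_screencopy_manager_v1",       # screen recording
    "zwlr_export_dmabuf_manager_v1",    # screen capture via dmabuf export
    "zwp_virtual_keyboard_manager_v1",  # synthetic keyboard input
    "zwlr_virtual_pointer_manager_v1",  # synthetic pointer input
})

# Globals every client needs to draw a window at all.
PUBLIC_GLOBALS = frozenset({
    "wl_compositor", "wl_shm", "wl_seat", "xdg_wm_base",
})


@dataclass(frozen=True)
class Client:
    name: str
    # Set when the connection was created via wp_security_context_v1,
    # e.g. "org.flatpak". None means an ordinary, unsandboxed connection.
    sandbox_engine: Optional[str] = None

    @property
    def sandboxed(self) -> bool:
        return self.sandbox_engine is not None


def visible_globals(client: Client) -> frozenset:
    """Globals the modelled compositor advertises to this client."""
    if client.sandboxed:
        return PUBLIC_GLOBALS
    return PUBLIC_GLOBALS | PRIVILEGED_GLOBALS


def can_capture_screen(client: Client) -> bool:
    """True if the client can bind a screen-capture global (no prompt involved)."""
    return bool(PRIVILEGED_GLOBALS & visible_globals(client) & {
        "zwlr_screencopy_manager_v1", "zwlr_export_dmabuf_manager_v1",
    })


def audit(clients: List[Client]) -> Dict[str, List[str]]:
    """Defender-side view: which clients could record the screen or inject input."""
    report: Dict[str, List[str]] = {"screen_capture": [], "input_injection": []}
    for c in clients:
        seen = visible_globals(c)
        if can_capture_screen(c):
            report["screen_capture"].append(c.name)
        if "zwp_virtual_keyboard_manager_v1" in seen:
            report["input_injection"].append(c.name)
    return report


if __name__ == "__main__":
    # Constructed sample clients for the demonstration.
    clients = [
        Client("native-terminal"),                     # plain process
        Client("flatpak-browser", "org.flatpak"),      # via security context
        Client("native-music-player"),                 # plain process
    ]
    for name, who in audit(clients).items():
        print(f"{name}: {', '.join(who) or 'nobody'}")
```

The point the model makes visible: the gate keys off how the connection was created, not off a user decision, so any unsandboxed process in the session keeps the privileged globals, which is exactly the situation the opening post is worried about.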
Do you have a source for this? I’d like to read up on it.
I remembered first seeing this claim on PrivSec.dev and went to check out their Linux articles but couldn’t seem to find it. I was curious so I took a look at the archives and it turns out Tommy Tran had this claim included in their “Choosing Your Desktop Linux Distribution” article for about 6-7 months from January 28 to at least June 26 (though probably till the end of July), only to finally remove it recently on July 31st. I don’t have the time to check for myself, but maybe they discussed why they made this claim (and later removed it) on their GitHub?
Thanks so much for the links (and for digging into the details),
Edit: this is the commit where it was removed; no mention of why. The only note was “Remove KDE mentions & Reorganize images”.
It is discussed here: Remove KDE mentions & Reorganize images in the "Choosing your distro" post by TommyTran732 · Pull Request #267 · PrivSec-dev/privsec.dev · GitHub
2 posts were split to a new topic: Linux desktop environment security wrt screenshot privileges
PrivSec has an unfortunate habit of presenting their criticisms as factual instead of a matter of opinion.
I’m happy with the improvements made in Linux desktop environment security wrt screenshot privileges - #3 by redoomed1 which cover GNOME’s design without discouraging the use of sway or others.
The reality is that the way this is currently handled in most DEs is no different than how it’s handled in mainstream operating systems like Windows, nor how it’s always been handled in Linux, where I have not heard of any real-world attacks where this has been exploited. Thus I see no reason to essentially start fearmongering about wlroots/sway/kde.
I’m okay to mark this proposal as rejected unless anyone has something else to add @team
I’m also okay with this, considering that I have not come across…
which I find to be a hard requirement to make bold claims like the one in the title of this thread.
Couldn’t resist chiming in here. Being interested in Rust versions of Wayland compositors, I actually have investigated wlroots a bit, and pieces of it are problematic. So there are 3 pieces to the puzzle here:
- wlroots currently does not have (and has emphasized they are not focusing on) a security policy (source). This is a bit wild, as currently no one has a way to actually point out vulnerabilities in a responsible manner. So it’s hard to actually find any investigation of its problems.
- The devs seem to not consider that memory corruption attacks and bugs are a huge attack surface (part of the reason why hardened_malloc by GrapheneOS is such a good attack surface reduction tool). But wlroots is actually quite known for experiencing these memory corruption problems. The lack of proper documentation and security policy also means developers are not given enough guidance to implement wlroots well. (source, although take it with a grain of salt, since the dev quoted has a history with freedesktop, although he is a very gifted dev.) Pay special attention to the “why” portion.
- Now, since the compositor is a critical piece of software (source), it should ideally not be undocumented, developer-unfriendly, or ignored in terms of security testing and reporting.
So, I still think this warrants a discussion and not a dismissal. Although to be fair, I actually am not aware if these problems persist outside of compositors using wlroots too. Would be happy if someone else can chime in.
Thanks for adding this here! My knowledge of this isn’t up to speed to argue well enough about this, but I did hear parts of what you wrote here.
We definitely need more input on this.
Realistically what are the alternative compositors people can choose from? They are all written in memory unsafe languages.
- Mutter (GNOME): C
- KWin (KDE): C++
- Hyprland: C++, also based on wlroots anyways
- ?
There’s a handful of compositors like Niri written in Rust that use Smithay instead of wlroots, but it seems silly to tell people that’s the only environment they should use.
Interestingly, System76’s COSMIC DE looks very promising, but I don’t believe it is even considered alpha yet.
Very excited for COSMIC here
I think we can go by process of elimination:
- C++ has way more footguns for developers compared to C (example), especially for projects that lack proper documentation.
- Mutter is definitely actively working on security (example), and has clear documentation and guidance for developers (Mutter docs vs wlroots docs).
- Finally, because of RHEL, Mutter also gets more eyes on it usually, leading to quick detections and fixes (example)
Do I think this means we should recommend non-wlroots Wayland compositors only? I am not sure. But if we go by the idea of leading users away from potential footguns rather than the idea of only informing them of clear-cut, well-defined footguns (sounds funny), I think it’s fine to recommend non-wlroots compositors (mostly GNOME, honestly).
It’s also tied in my mind to the idea of how PG does not recommend 1500 distros of Linux, and instead only recommends a few. Similarly, we should just recommend one (preferably GNOME) and not try to cover all compositors/DEs/whatever else.
Well that is different than what the OP is asking for. I’m not really sure what you’re suggesting we actually change on the website?
We don’t have a page recommending DEs at all, because most people just stick with what comes preinstalled with their distro. Do you think we should add one?
My bad, I am not that great at these explanations. Let me rephrase the two different things I am talking about:
- The request to avoid Wayland environments which use wlroots as the compositor is slightly reasonable in my opinion. All the above examples were given to support this hypothesis.
- The final paragraph is me wondering about what you just said: instead of making it complex for the end users by adding stuff about “avoiding Wayland environments which use wlroots as compositor”, we should just directly recommend a DE or two which we feel is better for security by default. (Also, apparently secureblue also recommends GNOME for the same reasons? (link))
These are the two different points I was trying to make. Please let me know if this is still not clear.